Yu CDEN,Gang LIANG,Tao LI

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.07.034

2011-01-01

Computer Engineering and Applications Journal

Abstract:Network Intrusion Detection Systems(NIDS) often has high loss rate because of the high speed of data flow in high-speed net.This performance is improved by load balancing scheme developed for parallel NIDS based on prediction.This scheme takes the load of each sensor as observing value through relevant measurement,the global predictive model of chaotic time series as predictive method,and it balances the load according to the predictive load.Results of the simulation verify that the proposed scheme can balance load effectively and reduce the packet loss rate.

JIANG Wenbao,HAO Shuang,DAI Yiqi,LIU Tinghua

DOI: https://doi.org/10.3321/j.issn:1000-0054.2006.01.028

2006-01-01

Abstract:The performance of high-speed network intrusion detection systems(nIDSs) is improved by load balancing algorithms developed for high-speed nIDSs.Three load balancing policies were analyzed to develop a flow-based dynamic load balancing algorithm based on nIDSs using multiple detection engines.The algorithm divides the data stream according to the current value of each detection engine's load using a dynamic feed and prediction mechanism.The incoming data packets for a new session are forwarded to the engine that currently has the lightest load.Test results show that the algorithm performs better than the Round Robin algorithm,especially when a large number of concurrent detection engines are used in heavy network traffic environments.

J Gong,S Lu,Sy Rui

2004-01-01

Abstract:Using the concept of bit entropy and bit flow entropy, a novel load-balancing algorithm named Dimension-based Classification Algorithm (DCA) is introduced in this paper, aiming at implementing NIDS in high-speed network with traffic load up to Gbps. Based on the contents of fields in IP packet header and some simple operations, this algorithm can keep the semantic relativities among packets in a high bandwidth network environment while distributing workload to different processing node. It has a fairly good load-balancing feature in both macroscopical and microscopical senses for high-speed intrusion detection. The selection of operation and operand of DCA is discussed in detailed, and their efficiency is evaluated.

Haiguang Lai,Shengwen Cai,Hao Huang,Junyuan Xie,Hui Li

DOI: https://doi.org/10.1007/978-3-540-24852-1_32

2004-01-01

Abstract:The process speed of network-based intrusion detection systems (NIDSs) is still low compared with the speed of networks. As a result, few NIDS is applicable in a high-speed network. A parallel NIDS for high-speed networks is presented in this paper. By dividing the overall traffic into small slices, several sensors can analyze the traffic concurrently and significantly increase the process speed. For most attacks, our partition algorithm ensures that a single slice contains all the evidence necessary to detect a specific attack, making sensor-to-sensor interaction unnecessary, Meanwhile, by making use of the character of the network traffic, the algorithm can also dynamically balance all sensors' loads. To keep the system as simple as possible, a specific sensor is used to detect the scan and the DoS attack. Although only one sensor is used for this kind of attacks, we argue that our system can still provide high process ability....

Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

Daxin Tian,Yanheng Liu,Yang Xiang

DOI: https://doi.org/10.1007/s10207-008-0061-2

2010-01-01

Journal of Software

Abstract:As network traffic bandwidth is increasing at an exponential rate, it’s impossible to keep up with the speed of networks by just increasing the speed of processors. Besides, increasingly complex intrusion detection methods only add further to the pressure on network intrusion detection (NIDS) platforms, so the continuous increasing speed and throughput of network poses new challenges to NIDS. To make NIDS usable in Gigabit Ethernet, the ideal policy is using a load balancer to split the traffic data and forward those to different detection sensors, which can analyze the splitting data in parallel. In order to make each slice contains all the evidence necessary to detect a specific attack, the load balancer design must be complicated and it becomes a new bottleneck of NIDS. To simplify the load balancer this paper put forward a distributed neural network learning algorithm (DNNL). Using DNNL a large data set can be split randomly and each slice of data is presented to an independent neural network; these networks can be trained in distribution and each one in parallel. Completeness analysis shows that DNNL’s learning algorithm is equivalent to training by one neural network which uses the technique of regularization. The experiments to check the completeness and efficiency of DNNL are performed on the KDD’99 Data Set which is a standard intrusion detection benchmark. Compared with other approaches on the same benchmark, DNNL achieves a high detection rate and low false alarm rate.

蔡志平,刘书昊,王晗,曹介南,徐明

DOI: https://doi.org/10.3778/j.issn.1673-9418.1212017

2013-01-01

Abstract:The performance of single setup based network intrusion detection system (NIDS) is used to be improved by using custom hardware or modifying detection algorithms, but it wouldn’t meet the requirement for link speed up to 10 Gb/s. Parallel detection using multi detection sensors is the import way to implement the high performance intrusion detection. The parallel detection system can coordinately use multiple detection sensors to detect intrusions in parallel, which characterizes it with high performance and scalability. This paper summarizes the challenges of keeping the proof used for detecting attacks and balancing the load among sensors, and discusses various solutions to the challenges. This paper also considers the advantages of existing parallel detection technologies, proposes a uniformed parallel detection architecture (UPDA) that supports parallel detection with multi detection sensors. Based on NetMagic platform and UPDA, this paper designs and implements a parallel intrusion detection prototype system, and evaluates its performance in the network environment.

Wenbao Jiang,Hua Song,Yiqi Dai

DOI: https://doi.org/10.1016/j.cose.2004.07.005

2005-01-01

Abstract:Network-based intrusion detection systems (NIDSs) frequently have problems with handling heavy traffic loads in real-time, which result in packet loss and false negatives. This paper presents a high-performance network intrusion detection system, called HPMonitor, which combines a high-efficiency detection engine and a load-balancing device to address these problems. The paper describes HPMonitor's system architecture, discusses a flow-based dynamic load-balancing algorithm called dynamic least load first (DLLF) algorithm, and introduces a new multi-pattern string matching algorithm called shift max algorithm (SMA). The test results reveal that the DLLF algorithm is an effective balancing algorithm for NIDS. Meanwhile, the experimental results show that the SMA algorithm is faster in searching large sets of patterns when compared with other algorithms, and its performance is affected little when the patterns set number increases.

WU Zhong,LIU Yan-heng,TIAN Da-xin,ZHANG Yuan-yuan

2007-01-01

Journal of Computer Applications

Abstract:The processing speed of Network Intrusion Detection systems (NIDS) is still low compared with the speed of networks. As a result, few NIDS are applicable in a high-speed network. A distributed NIDS for high-speed networks was presented in this paper. The overall traffic was divided into small slices based on Netfilter, and the algorithm of load balancing was given to ensure that a single slice contained all the necessary evidence to detect a specific attack. The results of experiments show that the packets are almost equally scattered to all NIDS, and the percentage of missed rate declined to 1/4 of single NIDS.

Hai-Guang LAI,Hao HUANG,Jun-Yuan XIE

DOI: https://doi.org/10.3321/j.issn:0254-4164.2007.04.007

2007-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:As the band of networks increases, the process speed of network-based intrusion detection systems (NIDSes) hardly keep up with the speed of networks. By arranging several sensors to deal with the traffic in parallel, the intrusion detection system's speed can be significantly increased. How to split the traffic to the sensors is the key problem of a parallel intrusion detection system. To resolve the problems, load balance, attack evidence keeping, and efficiency have to be concerned. Existing traffic partition algorithms cannot satisfy these requirements well, especially load balance, which directly affect the performance of a parallel intrusion detection system. A traffic partition algorithm called PABCS is proposed in the paper, which splits the traffic according to connections' states. PABCS provides better load balance than the usually used hash-based algorithm and guarantees that no attacks evidence for intrusion detection is lost after partition. Moreover, in the experiment, the algorithm's process speed reaches 1 Gbps.

Wei Wei

2007-01-01

Abstract:Network Intrusion Detection System (NIDS) is an important and practical tool for network security. To guarantee a precise detection the NIDS must detect packets at a wire speed. However, with the recent trend of high-speed networks, the capability of a single NIDS can not meet the speed’s demand, resulting in rising of false negatives. To promote the NIDS performance and efficiency, present studies on IDSs for high-speed network monitoring have begun to choose the distributed architecture as an alterative, first suggested by Christopher Kruegel et al . In such a design, the incoming network traffic is disseminated to a pool of sensors, which process a fraction of the whole traffic, reducing the possibility of packet loss caused by overload.

YX Jiang,C Lin,ZG Shan,Z Chen

2004-01-01

Abstract:The main problem existed in the Network-based Intrusion Detection System (NIDS) is that the data-processing ability of classical centralized intrusion detection architecture does dissatisfy the increasing requirement of high-speed network. To resolve this problem, especially in real-time online intrusion detection, a NIDS cluster scheme is firstly introduced in this paper. Secondly, given the high resource demands and the special load-balancing characteristics in NIDS cluster, three optimized polices to improve the performance of NIDS cluster are proposed, i.e. Early Simple Packet Filter (ESPF), Adaptive Hash Load-Balancing (AHLB) algorithm, Priority Scheduling with Buffer Limited (PSBL). All the optimized measures are in collaboration with one another and provide the NIDS cluster scalability, adaptability, and high performance. Moreover, with the goal of analyzing the performance of NIDS cluster a Stochastic Petri Net (SPN) model is proposed. To cope with the well-known state space explosion problem, we propose an approximate analysis technique, which can significantly reduce the computing complexity of the model. In the end, the numerical results of the performance analysis for those schemes are presented, and some valuable conclusions are recommended which are suitable for NIDS cluster to achieve high performance.

Zhuojun Zhuang,Yuan Luo,Minglu Li,Chuliang Weng

DOI: https://doi.org/10.1109/NPC.2008.66

2008-01-01

Abstract:As network becomes faster, there is an emergence need for parallel intrusion detection techniques to keep up with the rapid increase in link speed. Resource scheduling plays a key role in parallel detection schemes. Its primary function is to assist a parallel network-based intrusion detection system (NIDS) to achieve high performance in network environment. In this paper, we introduce an abstract NIDS model and a related new resource scheduling strategy on multi-core platform. This strategy provides a resource configuration scheme by comprehensively considering many performance metrics. Preliminary examples demonstrate the effectiveness of our approach and present a first experimental evaluation.

WANG Zheng-xia,LIU Xiao-jie,LIANG Gang

DOI: https://doi.org/10.3724/sp.j.1087.2011.00609

2011-01-01

Journal of Computer Applications

Abstract:With the rapid development of Internet bandwidth,the parallel processing technique can greatly improve the performance of network intrusion detection system.Network Intrusion Detection System(NIDS) in parallel environment requires complete connection while balancing the traffic load.That is,packets belonging to one session should go to the same processing node.Based on the stability and balance characteristics of B+ tree,this paper proposed a feedback load balancing algorithm based on B+ tree fast tuning.B+ tree has characteristics of high search efficiency and stability.This algorithm tuned the B+ tree structure and remapped flow table when unbalanced.The simulation results show that this algorithm is able to balance the connection density of B+ tree,achieves a really satisfactory balance of the sensors' load and reduces the packet loss rate.

Yanheng Liu,Daxin Tian,Xuegang Yu,Jian Wang

DOI: https://doi.org/10.1007/11893295_23

2006-01-01

Abstract:To make network intrusion detection systems can be used in Gigabit Ethernet, a distributed neural network learning algorithm (DNNL) is put forward to keep up with the increasing network throughput. The main idea of DNNL is splitting the overall traffic into subsets and several sensors learn them in parallel way. The advantage of this method is that the large data set can be split randomly thus reduce the complicacy of the splitting algorithm. The experiments are performed on the KDD'99 Data Set which is a standard intrusion detection benchmark. Comparisons with other approaches on the same benchmark show that DNNL can perform detection with high detection rate.

Jia-chun LI,Ling ZHANG

DOI: https://doi.org/10.3321/j.issn:1000-436X.2006.z1.014

2006-01-01

Abstract:Nowadays it is hot and difficult to improve attack detection rate and processing capability of intrusion detection system on high-speed environment. Parallel IDS based on network processor (NPBPIDS) is researched and implemented in this paper. The following methods are incorporated to improve system performance: the first is the use of IXP2400 network processor, where the traffics are collected speedily and splitted so as to keep streams as evenly loaded as possible. Early filtering of no payload packets and session-oriented dynamic feedback load balancing algorithm are used in traffic splitter. The second is the use of host arrays where the content of traffics with payload are detected. The experimental results demonstrate that it is availability and feasibility.

Wei Lin,XiaoFei Wang,YaXuan Qi,Derek Pao,Bin Liu

DOI: https://doi.org/10.1109/INFCOMW.2009.5072152

2009-01-01

Abstract:In this paper, two-stage NIDS architecture is proposed, which aims to both increase the throughput and reduce memory cost. The contributions of this work are listed below.

Amjad Amjad,Nizar Alhafez,Iyad Al Al-khayat,,,

DOI: https://doi.org/10.54216/jisiot.120110

2024-01-01

Journal of Intelligent Systems and Internet of Things

Abstract:In the realm of cybersecurity, the incessant evolution of network attacks necessitates advanced and robust intrusion detection systems (IDS). The major issues with these systems are numerous: false positivenegative alarms, delayed response and detection time, size of processed data, adaptability to future threats, scalability of the system, difficulty in detecting distributed attacks, and downtime (fault tolerance). We propose a system that introduces a distributed framework aimed at enhancing network security by effectively identifying subtle deviations from normal network behavior. This is achieved through transfer learning based on artificial neural networks, and support vector machine (SVM), capitalizing on their complementary strengths in recognizing complex patterns and addressing high-dimensional datasets. To validate the efficacy of the proposed approach, the NSL-KDD dataset is utilized within a distributed IDS architecture. It consists of several intrusion detection nodes representing subnetworks. A node consists of two agents that work collaboratively. A way is proposed to avoid interference between analysis agents: the network agents manager monitors the functioning of the nodes and displays the results of each vulnerability-detecting node in each subnet separately. Such communication between agents should reduce FPAS (false positive alarms) significantly. The Detection engine extracts relevant features of network attacks to solve the problem of SVM in processing huge sizes of data and detect adaptive future threats to detect famous distributed denial of services (DDOS) attacks in real-time. The system is highly scalable by increasing the number of intrusion detection system nodes if necessary. Central processing is avoided to circumvent a system failure situation, where processing and decision-making take place at the detection node level within each subnet.

Zhihao Wang,Dingde Jiang,Yuqing Wang,Junyang Zhang

DOI: https://doi.org/10.1007/978-3-030-72792-5_20

2020-01-01

Abstract:With the development of mobile Internet and cloud computing, the amount of network traffic has been significantly increased. Security problems have drawn a lot of attention, while traditional methods are becoming increasingly unsuitable for it. In this paper, three machine learning algorithms are employed to detect network intrusion, including KNN, Random Forest, and Multilayer Perceptron. Performance evaluation and comparison between them are conducted, in terms of precision, recall, training time, etc. Simulation results on the NSL-KDD, a benchmark data set of network intrusion detection, show that the Random Forest algorithm exhibits higher detection accuracy and remarkably shorter training time.

Ghulam Mohi-Ud-Din,Jiangbin Zheng,Zhiqiang Liu,Muhammad Asim,Jiajun Chen,Jinjing Liu,Zhijun Lin

DOI: https://doi.org/10.1109/vrhciai57205.2022.00051

2022-01-01

Abstract:Network traffic data has developed into an appealing target for attacks as new network communication services have drawn more attention. Due to the enormous number of data these systems create, conventional intrusion detection systems (IDS) cannot detect intruder behaviors in large-scale network systems. To detect malicious assaults early on, an effective IDS must be able to scan massive volumes of network traffic data quickly. In order to identify various types of intrusion in network systems, this study introduces a unique distributed network IDS (NIDS). The suggested NIDS is built on a distributed random forest that can analyze huge amounts of data quickly. The two steps of the suggested method are the traffic gathering module and the attack detection module. In VANETs, the random forest method was employed for real-time DDoS attack detection. A variety of performance criteria, including accuracy, precision, recall, and F1 score, were tested on the system to confirm the performance of the suggested framework. The proposed method achieves improved classification accuracy, according to the results. The suggested approach is suitable for complicated systems with high speed and low false alarm rates that require real-time intrusion detection.